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| welcome the publication of these Guidelines by the European Data Protection Board. They 
provide for important and helpful practical advice when applying Art. 4 (24) and Art. 60 (4, 5) 
of the GDPR. | would like to make three comments in order to further clarify the text: 


1. Para. 15 seems to be incomplete (possibly a typo). At the end of the phrase ,,are 
irrelevant“ or another wording to this effect should be inserted. 


2. Para. 28 in its present wording suggests that there is always a clear-cut distinction 
between investigations triggered by complaints or reports by concerned supervisory 
authorities on one hand and ex officio investigations on the other. It is however conceivable 
that a complaint or report leads the addressed supervisory authority to initiate an ex officio 
investigation into processing of personal data which goes well beyond the original complaint 
or report because a systematic disregard of legal requirements has come to light when 
following up the original complaint or report. Nothing in the Regulation seems to prevent 
the supervisory authority to launch a broader ex officio procedure which cannot reasonably 
be separated from the original complaint or report. This could be reflected in the text by an 
inserted phrase before the sentence beginning „As mentioned above.,...“ along these lines: 


„The same applies in cases where a supervisory authority dealing with a complaint or report 
by another authority takes the view that an ex officio investigation is necessary to deal with 
systematic compliance issues going beyond the specific complaint or report.“ 


3. With regard to paras. 44 et seq. of the Guidelines two observations should be made: 


The Guidelines in para. 44 rightly stress that „an objection demonstrating risks posed to the 
free flow of personal data, but not to the rights and freedoms of data subjects, will not be 
considered as meeting the threshold set by Article 4(24) GDPR.“ This is in line with the aim of 





the Union legislature to prevent any barrier to transborder flows of personal data within the 
European Union as long as they are processed in accordance with the Regulation. 


Paras. 47 and 48 do not seem to fully reflect this reasoning and should therefore be clarified. 


The example of ,,language requirements“ in para. 47, although it is linked to a specific region 
within the EU, could be misunderstood to the effect that any language requirement is not in 
line with the GDPR and therefore poses a risk to the free flow of personal data. Art 12 (1) 
GDPR requires the information of the data subject with regard to his rights in „a concise, 
transparent, intelligible and easily accessible form, using clear and plain language.” Although 
this probably does not entail a strict legal obligation of a controller from outside the EU to 
inform the data subject in his mother tongue it seems appropriate for supervisory 
authorities to consider such an ,,expectation“ to be at least a best practice. Therefore the 
example of language requirements in para. 47 should either be deleted or further clarified to 
avoid misunderstandings. 


In para. 48 of the Guideline the EU level playing field is invoked. This is correct in principle. 
However, a reference should be made to areas (sectors of processing) where the Union 
legislature has left certain balancing decisions to Member States (e.g. in the field of freedom 
of expression and freedom of information as well as access to documents, Arts. 85 and 86 
GDPR). It seems therefore advisable to modify para. 48 by adding a reference to such areas 
where Member States have been given certain room for manoeuvre by the GDPR itself. 
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